Real-World Cybersecurity Success

Explore Neko Security's Case Studies and see our proven cybersecurity solutions in action. From advanced threat detection to robust security infrastructure design, these stories demonstrate how our specialist team delivers tangible results. Discover how we protect businesses from evolving cyber threats with our expert-led approach.

CLIENT

A fast-growing, leading National Retailer was not happy with the service provided by their Managed Security Service Provider. The provider was delivering critical alerts too late, often 24 hours after the event, while many other alerts were largely meaningless. Senior management recognised the need for better security detection and response to protect the business and its large customer base.

Neko Security were engaged and moved quickly to design and implement a detection and response capability that reached parity with the existing service in just two (2) days, and extended well beyond it within two weeks, including knowledge transfer to the internal team.

Cyber security threat response was greatly improved in a very short time. The client continues to use and extend the platform with their own internal team.

THE IMPERATIVE: IMPROVE CYBER SECURITY DETECTION & RESPONSE CAPABILITY

With a dynamic, extensive and constantly growing IT environment covering multiple brands, management decided to develop their own Cyber Security Detection & Response team. The challenge was to move rapidly from the existing Managed Security Services provider to their own capability.

The team at Neko Security were engaged to develop a new Security Information & Event Management (SIEM) system to drive better visibility and security threat detection, and additionally to implement a new Security Orchestration, Automation & Response (SOAR) system, complete with new playbooks.

Knowledge transfer was a key aspect as the newly developed internal team needed to be able to manage, operate, monitor and respond to cyber threats.

CHALLENGE

The National Retailer needed to overcome a few key challenges to transition successfully to their internal team:

  • Maintain Security During the Transition: Ensuring there was no interruption to security response capability was essential for the business. The tight timeline for cut-over meant the solution had to be built and at parity with the incumbent service in a short time frame.

  • Deliver Critical Alerts Fast: Critical security alerts from the incumbent service were not being delivered in the expected timeframe; many arrived up to 24 hours after the event occurred. A mechanism to identify and escalate critical alerts in near real-time was essential.

  • Provide Meaningful Threat Detections: Many of the alerts provided by the incumbent service were false positives or expected behaviour. Triaging these consumed analyst time for little or no security value. This needed to be addressed quickly, as the new in-house team had limited resources.

  • Improve Visibility & Context for Better Decisions: The incumbent service provider offered commodity detections only, leaving many systems, including business-critical systems, exposed with no security monitoring. The Retailer's management required this to be addressed.

  • Develop Playbooks for Incident Response: The new in-house team did not have any playbooks for responding to security detections. Playbooks needed to be identified, their integrations and actions scoped, and the steps documented and tested before being automated in the new SOAR capability.

  • Knowledge Transfer and Assistance: Transfer of knowledge to the internal team on how to operate, tune, optimise and manage both the SIEM and SOAR capabilities was required for ongoing success, along with additional assistance during the upskilling and adoption phase.

SOLUTION

Neko Security collaborated with the National Retailer, and their chosen vendor, to develop and implement a solution specific to the client's needs. This involved provisioning and configuring the platform, identifying and connecting data sources, developing threat detections, and developing the playbooks and integrations to respond rapidly and effectively to detected cyber threats.

SIEM COMPONENT - MEANINGFUL THREAT DETECTIONS

Having a modern, correctly configured and scalable SIEM was critical for success. Neko Security, having extensive experience in the field, took the lead in designing and implementing the SIEM with an approach that would deliver capability quickly to ensure the smooth transition:

  • Maintain Security During the Transition: Requirements in terms of threat detections, required data sources, detection analytics and analyst context were identified through workshops, discussions, research and Neko Security's prior knowledge. This allowed the SIEM design to be developed early and the configuration prepared before implementation, ensuring a smooth transition with no gap in threat monitoring.

  • Provide Meaningful Threat Detections: Neko Security drew on their knowledge and prior experience to identify the threats the National Retailer was most likely to face and the detections relevant to them. The most critical scenarios were addressed first and delivered immediately, with no gap in security monitoring. Further analytics were then enabled or developed to reach parity with the incumbent provider, which Neko Security achieved within 2 days. Detections were then expanded to cover newer and wider ranges of threats.

  • Improve Visibility & Context for Better Decisions: All detections were analysed by Neko Security together with the internal security team to optimise them, tuning out false positives and accepted or expected events to reduce the internal analysts' workload. Additional data sources were correlated with the alerts to give the internal security analysts the context needed to make better-informed decisions.

SOAR COMPONENT - RAPID AND EFFECTIVE RESPONSE

An automation and orchestration capability for handling security events was required as a 'force multiplier' for the resource-constrained internal security team. Neko Security leveraged their extensive experience in this field to implement, configure and integrate a SOAR that would run the playbooks and power rapid security response:

  • Develop Playbooks for Incident Response: The Neko Security team used their knowledge of the detection scenarios, along with prior experience, to craft the playbooks the National Retailer needed. The playbooks were initially documented as steps and actions that the internal team could follow, and were tested against simulated events.

  • Identify Integrations: Before automating playbooks, actions and responses, the integrations needed to make them happen had to be identified. Integration between the SIEM and SOAR, between the SOAR and the ticketing system, with Microsoft 365/Entra ID, and with the endpoint security agent were all identified and implemented.

  • Automate Playbooks and Actions: The documented playbooks were then transposed into scripted responses in the SOAR platform, some fully automated and others augmented (requiring a human decision before an action is taken), with actions executed via the integrations.
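The detection tuning and context correlation described in the SIEM component above, and the automated versus augmented playbook steps described in this SOAR section, reduced to runnable logic as an added example. This is illustrative code written for this page, not Neko Security's, the retailer's or the vendor's code. The sample events, asset and identity tables, suppression list, playbook definitions and integration names (ticketing, edr, entra_id) are all constructed assumptions.

```python
"""Detection tuning, context enrichment and playbook routing, modelled in Python.

Added example for this page, not Neko Security's or the retailer's code. Events,
asset/identity tables, suppressions, playbooks and integration names are constructed.
"""

SEVERITY_ORDER = ["low", "medium", "high", "critical"]

# Constructed sample events, in the shape a SIEM rule hands to a SOAR.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T02:10:03Z", "rule": "mass_file_rename", "host": "pos-term-17", "user": "svc_backup"},
    {"ts": "2024-05-01T02:11:40Z", "rule": "mass_file_rename", "host": "erp-db-01", "user": "jdoe"},
    {"ts": "2024-05-01T02:12:15Z", "rule": "impossible_travel", "host": "", "user": "asmith"},
    {"ts": "2024-05-01T02:13:00Z", "rule": "port_scan", "host": "hq-ws-044", "user": "vuln-scanner"},
]

# Context sources correlated with each alert (constructed; an asset inventory and identity directory in practice).
ASSETS = {"erp-db-01": {"tier": "business_critical"}, "pos-term-17": {"tier": "standard"},
          "hq-ws-044": {"tier": "standard"}}
IDENTITIES = {"jdoe": {"privileged": True}, "svc_backup": {"privileged": True},
              "asmith": {"privileged": False}, "vuln-scanner": {"privileged": False}}
BASE_SEVERITY = {"mass_file_rename": "high", "impossible_travel": "medium", "port_scan": "low"}

# Tuning: expected behaviour that would otherwise consume analyst time. Each entry is scoped
# to one rule plus matching fields and records why it exists, so it is auditable, not a blind spot.
SUPPRESSIONS = [
    {"rule": "mass_file_rename", "match": {"user": "svc_backup"}, "reason": "nightly backup rotation"},
    {"rule": "port_scan", "match": {"user": "vuln-scanner"}, "reason": "authorised vulnerability scanner"},
]

# Playbook steps: auto=True runs unattended; auto=False is an augmented step that
# waits for an analyst decision before the integration is called.
PLAYBOOKS = {
    "mass_file_rename": [
        {"action": "open_ticket", "integration": "ticketing", "auto": True},
        {"action": "isolate_host", "integration": "edr", "auto": False},
    ],
    "impossible_travel": [
        {"action": "open_ticket", "integration": "ticketing", "auto": True},
        {"action": "revoke_sessions", "integration": "entra_id", "auto": False},
    ],
}


def suppression_reason(event):
    """Return the tuning reason if the event is expected behaviour, else None."""
    for s in SUPPRESSIONS:
        if s["rule"] == event["rule"] and all(event.get(k) == v for k, v in s["match"].items()):
            return s["reason"]
    return None


def enrich(event):
    """Attach asset and identity context so the analyst does not have to look it up."""
    asset = ASSETS.get(event["host"], {"tier": "unknown"})
    identity = IDENTITIES.get(event["user"], {"privileged": False})
    return {**event, "asset_tier": asset["tier"], "privileged_user": identity["privileged"]}


def prioritise(alert):
    """Step severity up for business-critical assets and privileged users, capped at critical."""
    idx = SEVERITY_ORDER.index(BASE_SEVERITY[alert["rule"]])
    if alert["asset_tier"] == "business_critical":
        idx += 1
    if alert["privileged_user"]:
        idx += 1
    return SEVERITY_ORDER[min(idx, len(SEVERITY_ORDER) - 1)]


def run_playbook(alert, approve=None):
    """Run automated steps now; hold augmented steps unless approve(alert, step) returns True.

    approve stands in for the analyst. Returns (integration calls made, actions still pending).
    """
    executed, pending = [], []
    for step in PLAYBOOKS.get(alert["rule"], []):
        if step["auto"] or (approve is not None and approve(alert, step)):
            executed.append((step["integration"], step["action"], alert["host"] or alert["user"]))
        else:
            pending.append(step["action"])
    return executed, pending


def triage(events, approve=None):
    """Suppress expected events, enrich and prioritise the rest, then route them to playbooks."""
    outcome = {"suppressed": [], "alerts": []}
    for event in events:
        reason = suppression_reason(event)
        if reason:
            outcome["suppressed"].append({"rule": event["rule"], "user": event["user"], "reason": reason})
            continue
        alert = enrich(event)
        alert["severity"] = prioritise(alert)
        # High and critical alerts are escalated immediately rather than waiting for a batch.
        alert["escalate_now"] = SEVERITY_ORDER.index(alert["severity"]) >= SEVERITY_ORDER.index("high")
        alert["executed"], alert["pending"] = run_playbook(alert, approve)
        outcome["alerts"].append(alert)
    return outcome
```

Running `triage(SAMPLE_EVENTS)` suppresses the backup account's file renames and the authorised scanner's port scan, each with its recorded reason; the rename on the business-critical database by a privileged user is promoted to critical and flagged for immediate escalation, its ticket is opened automatically, and host isolation stays pending until the analyst callback approves it. Passing an `approve` callback models the augmented step being signed off by a person.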

KNOWLEDGE TRANSFER - EXPRESS ANALYST UPSKILL

With the internal, newly developed security team targeted to operate and manage the platform going forward, Neko Security took a collaborative approach to the implementation:

  • Collaborative Solution Design: Neko Security led the solution design, working closely with both the vendor and the internal security team. Decisions and designs were made together to ensure the internal team understood all facets of the solution.

  • Collaborative Development: Neko Security led the solution implementation, including the internal security team on the key components they needed to know while not spending their time on items irrelevant to ongoing development or management. Screen-sharing sessions and configuration under Neko Security overwatch were provided, along with knowledge-share sessions.

  • Documentation: All components of the SIEM and SOAR platforms were documented in 'As Built' guides, along with the detections and playbooks. Each detection and playbook was also documented and described within the detection analytic itself (SIEM) and the playbook itself (SOAR).

RESULTS & IMPACTS

The solution delivered on all of the requirements within a tight 2 week timeframe:

  • No Interruption to Security Response: Through prior planning, knowledge and experience, Neko Security were able to deliver the solution with no security service or monitoring interruption. 

  • Rapid Parity & Improvement: Neko Security reached parity with the incumbent service provider within just two (2) days of implementation. Improvements were then applied incrementally over the following two (2) weeks, with the business realising a substantial improvement over the previous service.

  • Faster and Better Detection & Response: Critical alerts were delivered in near real-time from the moment the solution went live, a large improvement over the previous benchmark of many hours, often up to 24 hours. Detection analytics were expanded, improving both accuracy and coverage. Response playbooks, a completely new capability for the team, provided rapid response to neutralise threats and let analysts work in a cohesive and collaborative manner.

  • Knowledge Transfer: The National Retailer's security team were, and are, able to manage, operate and develop the detections, onboard new data sources, and build playbooks and responses themselves.

  • Scalable Solution: The solution, being cloud based, is highly scalable in terms of compute and storage. Because detections are written against modelled (normalised) data rather than raw source formats, new data sources scale into the platform and are automatically covered by existing detections without manual rework.

  • Ongoing Adoption: The complete solution continues to be used by the client, with further development, scaling and increased playbook usage giving the business a more complete and faster detection and response capability.


We continue to use, develop and expand the solution autonomously, demonstrating that all requirements were met or exceeded, including knowledge transfer.

Head of Cyber Security



447 Collins Street, Melbourne